Efficient chosen ciphertext secure identity‐based encryption against key leakage attacks

• Published in: Security and communication networks Vol. 9; no. 11; pp. 1417 - 1434
• Main Authors: Sun, Shi‐Feng, Gu, Dawu, Liu, Shengli
• Format: Journal Article
• Language: English
• Published: London John Wiley & Sons, Inc 25.07.2016
• Subjects: chosen ciphertext security; Communication networks; Computer information security; Construction; Data encryption; Encryption; full security; identity‐based encryption; key leakage attack; Leakage; leakage resilience; Mathematical models; Messages; Public Key Infrastructure; Security
• ISSN: 1939-0114; 1939-0122
• DOI: 10.1002/sec.1429

Due to the proliferation of side‐channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity‐based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m≤ logp − ω(logκ), where κ and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are λ‐leakage‐resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, λ≤ logp − ω(logκ), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage‐resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp − ω(logκ))‐bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage‐resilient IBE scheme with leakage ratio up to 1/4. Copyright © 2016 John Wiley & Sons, Ltd. We put forward two new leakage‐resilient chosen ciphertext attack (CCA)2 secure identity‐based encryption schemes in this work. The first overcomes the undesirable shortcoming that the leakage parameter and the message length depend on each other and thus can tolerate a larger amount of key leakage and support a larger message space. The other is based on Alwen et al.'s scheme, which has the same message space as with Alwen et al. but can achieve a higher leakage ratio up to one‐fourth. Thus, it can tolerate a relatively larger amount of leakage and achieve a better security.